Objectives

Risk?
  Threat exploits Vulnerability, which causes Impact, which concerns Asset

Elements of the risk equation: Asset, Threat, Vulnerability, Impact
Impact dimensions: Confidentiality, Integrity, Availability

Impacts?
  Confidentiality, Integrity, Availability
ISO/IEC 27005
Tudor activities

  27001 training course(s)
  27001 gap analysis
  Mature / package
  Break down into levels / package
  Break down into levels / package
  Methodology + template
  Toolbox
  Information security maturity assessment
  Mature / package
  Methodology + measurement tool
  Mature / package
  Break down into levels / package
  SaaS
  WEB
  Implementation of an ISMS
  27001 implementation guide + templates

SUPPLIERS
Process
Context establishment
  Basic criteria
  The scope and boundaries
  Organization for ISRM (information security risk management)
Risk level
  (figure: risk levels labelled "Unimportant risk" and "Risk")
Goal:
Impact classification scale

  Confidentiality    Integrity         Availability
  Public             No constraint     No constraint
  Restricted         Change visible    Unavailable 1 week/year
  Very restricted    Change reduced    Unavailable 1 day/year
  Secret             (not extracted)   Always available

Goal:
Vulnerability scale (table: Vulnerability | Explanation; only level 0 survived extraction)

Risk level scale marks: 10, 12, 15
Risk estimation example
  Threat = 3
  Vulnerability = 1
  Impact = 3
  RL = 3 * (3 + 1 - 1) = 9

Risk level = Max(I) * (T + V - 1)
Risk level scale marks: 10, 12, 15
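The slide's risk level formula, Max(I) * (T + V - 1), applied to a handful of constructed asset scenarios, as an added example that is not part of the original deck. The numeric scales are assumptions (C/I/A impact 0..3 following the four-level classification table, threat 1..3, vulnerability 0..3 since the deck's vulnerability table starts at 0), and the acceptance level used for the comparison step is a placeholder the slides do not state.

```python
"""Risk level = Max(I) * (T + V - 1), where Max(I) is the highest of the
Confidentiality / Integrity / Availability impact values of an asset.

Added example; the numeric scales below are assumptions, not the deck's own.
"""
from dataclasses import dataclass

# Assumed scales: impact per C/I/A dimension 0..3, threat 1..3, vulnerability 0..3.
IMPACT_MAX = 3
THREAT_RANGE = range(1, 4)
VULN_RANGE = range(0, 4)


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 0 = Public ... 3 = Secret
    integrity: int        # 0 = No constraint ... 3 = strictest level
    availability: int     # 0 = No constraint ... 3 = Always available


def max_impact(asset: Asset) -> tuple[int, str]:
    """Max(I): the highest C/I/A value and the dimension that drives it."""
    dims = (("C", asset.confidentiality),
            ("I", asset.integrity),
            ("A", asset.availability))
    for dim, value in dims:
        if not 0 <= value <= IMPACT_MAX:
            raise ValueError(f"{asset.name}: {dim} impact {value} outside 0..{IMPACT_MAX}")
    dim, value = max(dims, key=lambda d: d[1])  # first maximum wins on ties
    return value, dim


def risk_level(asset: Asset, threat: int, vulnerability: int) -> int:
    """The slide's formula: Max(I) * (T + V - 1)."""
    if threat not in THREAT_RANGE:
        raise ValueError(f"threat {threat} outside {THREAT_RANGE}")
    if vulnerability not in VULN_RANGE:
        raise ValueError(f"vulnerability {vulnerability} outside {VULN_RANGE}")
    impact, _ = max_impact(asset)
    return impact * (threat + vulnerability - 1)


def evaluate(scenarios, acceptance_level: int):
    """Risk evaluation = comparison of each estimated level with the criteria.

    scenarios: iterable of (label, Asset, threat, vulnerability).
    Returns rows sorted by descending level; 'treat' marks levels above the
    (assumed, placeholder) acceptance level, which feed the treatment plan.
    """
    rows = []
    for label, asset, threat, vuln in scenarios:
        level = risk_level(asset, threat, vuln)
        _, driver = max_impact(asset)
        rows.append({
            "label": label,
            "level": level,
            "driver": driver,
            "decision": "treat" if level > acceptance_level else "accept",
        })
    return sorted(rows, key=lambda r: r["level"], reverse=True)


# Constructed sample data: the slide's own numbers plus two more scenarios.
SLIDE_ASSET = Asset("slide example", 3, 3, 3)
SCENARIOS = [
    ("slide example: T=3, V=1", SLIDE_ASSET, 3, 1),                   # 3 * (3 + 1 - 1) = 9
    ("customer DB, deliberate threat", Asset("customer DB", 3, 2, 1), 2, 2),  # 3 * 3 = 9
    ("public website, no vulnerability", Asset("website", 0, 1, 2), 3, 0),    # 2 * 2 = 4
]

if __name__ == "__main__":
    for row in evaluate(SCENARIOS, acceptance_level=8):  # placeholder criterion
        print(f"{row['level']:>2}  {row['decision']:<6}  driven by {row['driver']}  {row['label']}")
```

Max(I) means a single high dimension is enough to drive the level: the "customer DB" scenario scores the same 9 as the slide example although only its confidentiality value is at the top of the scale, which is why the evaluation row reports which dimension produced the maximum.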
Must be documented
Risk assessment
  Risk analysis
    Risk identification
    Risk estimation
  Risk evaluation

  Owner identification
  Value determination
Asset valuation scale

  Confidentiality    Integrity         Availability
  Public             No constraint     No constraint
  Restricted         Change visible    Unavailable 1 week/year
  Very restricted    Change reduced    Unavailable 1 day/year
  Secret             (not extracted)   Always available
  Deliberate
  Accidental
Risk evaluation
  Comparison
  Risk level = Max(I) * (T + V - 1)
  Risk level scale marks: 10, 12, 15
Risk treatment
  4 choices
    Risk Reduction
    Risk Retention
    Risk Avoidance
    Risk Transfer
  Can be combined
  Results in a risk treatment plan
Risk retention
  Risk is accepted
  Negative ROSI
  Risk-taking
Risk avoidance
  Risk is refused
  Generally when the risk is too high and no cost-effective solution is found
Risk transfer
  Outsourcing
  Insurance
Risk acceptance
  Residual risks
Risk communication
  Continuous step
  Obtain and communicate with all the stakeholders
Risk monitoring and review
  Continuous step
  Risks are constantly changing, so every element of the risk equation must be tracked!
    New assets
    New threats
    New vulnerabilities
    Incidents
    Etc.
Any questions?
jocelyn.aubert@tudor.lu
TAO Workshop on CBA Security